From 352495f6292bb10122dc4859919253695eea7648 Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Mon, 3 Jun 2013 21:20:41 -0400 Subject: Fix PHP out-of-memory error with large rule sets and IPS Policy display --- config/snort/snort.inc | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) (limited to 'config') diff --git a/config/snort/snort.inc b/config/snort/snort.inc index cf36ca86..0f0a24e4 100755 --- a/config/snort/snort.inc +++ b/config/snort/snort.inc @@ -39,6 +39,9 @@ require_once("pkg-utils.inc"); // Needed on 2.0 because of filter_get_vpns_list() require_once("filter.inc"); +// Snort GUI needs some extra PHP memory space to manipulate large rules arrays +ini_set("memory_limit", "192M"); + // Explicitly declare these as global so they work through function call includes global $snort_rules_file, $snort_version, $emerging_threats_version, $snort_rules_upd_log; global $all_rules, $flowbit_rules_file, $snort_enforcing_rules_file, $rebuild_rules, $is_postinstall; @@ -1529,20 +1532,21 @@ function snort_load_vrt_policy($policy, $load_rules_map=true) { $snortdir = SNORTDIR; $vrt_policy_rules = array(); - /* Create regular expression for searching. */ - $policy_pcre = "/policy\\s" . $policy . "/i"; - /* Refresh the map of all the rules if flag */ /* is set. */ - if ($load_rules_map == true) - $all_rules = snort_load_rules_map("{$snortdir}/rules/"); + if ($load_rules_map) { + /* Since only Snort VRT rules have IPS Policy metadata, */ + /* limit our search to just those files. */ + $snort_vrt_files = glob("{$snortdir}/rules/snort_*.rules"); + $all_rules = array(); + $all_rules = snort_load_rules_map($snort_vrt_files); + } - /* Now walk the rules list and find all those */ - /* that are defined as active for the chosen */ - /* security policy. */ + /* Now walk the rules list and find all those that are defined */ + /* defined as active for the chosen security policy. */ foreach ($all_rules as $k1 => $arulem) { foreach ($arulem as $k2 => $arulem2) { - if (preg_match($policy_pcre, $arulem2['rule'])) { + if (strripos($arulem2['rule'], "policy {$policy}-ips") !== false) { if (!preg_match('/flowbits\s*:\s*noalert/i', $arulem2['rule'])) { if (!is_array($vrt_policy_rules[$k1])) $vrt_policy_rules[$k1] = array(); @@ -1564,9 +1568,9 @@ function snort_load_vrt_policy($policy, $load_rules_map=true) { unset($arulem, $arulem2); /* If we loaded the ALL_RULES map, */ - /* then release the memory. */ + /* then release the global memory. */ if ($load_rules_map == true) - unset($all_rules); + unset($GLOBALS['all_rules']); /* Return all the rules that match the policy. */ return $vrt_policy_rules; @@ -2075,6 +2079,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { $no_rules_defined = false; /* Load up all the rules into a Rules Map array. */ + $all_rules = array(); $all_rules = snort_load_rules_map("{$snortdir}/rules/"); /* Create an array with the filenames of the enabled */ @@ -2160,7 +2165,7 @@ function snort_prepare_rule_files($snortcfg, $snortcfgdir) { /* Just put an empty file to always have the file present */ snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); - unset($enabled_rules, $all_rules); + unset($GLOBALS['all_rules']); } else { snort_write_enforcing_rules_file(array(), "{$snortcfgdir}/rules/{$snort_enforcing_rules_file}"); snort_write_flowbit_rules_file(array(), "{$snortcfgdir}/rules/{$flowbit_rules_file}"); -- cgit v1.2.3